Public and Private Medical Community Targeted by China-Nexus Threat Actor Pursuing Artificial Intelligence, Cyber, Medical, and National Defense Research
Google Threat Intelligence Group identified a PRC-nexus espionage campaign by UNC6508 targeting North American research and defense entities. The actors compromised REDCap servers to deploy INFINITERED, a custom malware that harvests credentials and intercepts software upgrades for persistence. Using stolen credentials, the attackers pivoted to administrative accounts and abused email content compliance rules to covertly exfiltrate sensitive intelligence.
- email: BebitaBarefoot774[@]gmail[.]com - Threat actor-controlled Gmail account used for silent BCC email exfiltration via compliance rules.
- filename: help.php - Web shell deployed on compromised REDCap servers for persistence.
- ip: 23[.]169[.]65[.]49 - Compromised ASUS router used as part of an obfuscation network for admin logins.
- sha256: 4efbef69eb3b09bacff892d6a55778d07c418e7f15eba3cf1245e8cdfd8dda0b - INFINITERED Dropper component.
- sha256: 51a57bfc9ed3eb6451c1c289607814d59e1698c666fb97ac5f694c398f23d045 - INFINITERED Backdoor component.
- sha256: 58bb25777e0aa86bcd2125101e0bca4e8732b03d91bd8d2f205b446a2a8d5c86 - INFINITERED Dropper component.
- sha256: 8f0158855a656b629ca76ebca565f18bc25563ded34b65d6771632c20edb68ec - INFINITERED Backdoor component.
- sha256: ba6b73b0ca0dc7f86b3b397893ac32d729fd53f9df20643288f141f29d020af7 - Hash of the help.php web shell used for persistence and file upload on REDCap servers.
- sha256: c1ac43d23f89d41eb4ff131678ab562ab2cfed9aa334b13767ef141d303b0e5b - INFINITERED Credential Harvester component.
- sha256: db65c1b9f9e4cb4d729f45ad4b6fcf3e277caf9eb4c875425dec93fd883f9136 - INFINITERED Credential Harvester component.
Category: Detection / Hunter | Source: Google
What Happened
A state-sponsored hacking group from China, known as UNC6508, has been targeting medical, academic, and military research organizations in North America. The hackers broke into REDCap servers—a popular research database tool—and installed custom malware to steal passwords and maintain long-term access. They then used these stolen passwords to log into administrative email accounts and secretly forward sensitive emails containing research and defense information to themselves. Organizations should ensure their REDCap servers are fully updated, remove old software versions, and enforce strong multi-factor authentication on all administrative accounts.
Key Takeaways
- UNC6508 compromised REDCap servers to deploy custom INFINITERED malware for credential harvesting and backdoor access.
- The threat actor maintained persistence by intercepting and injecting malicious code into REDCap software upgrades.
- A novel exfiltration technique was observed: a Google Workspace content compliance rule named 'Patroit' (a likely misspelling of 'Patriot') was used to silently BCC-forward sensitive emails to an attacker-controlled mailbox.
- Targeted intelligence collection focused on geo-strategic policy, military strategy, advanced technology, and medical research (e.g., Chikungunya pathogen).
Affected Systems
- REDCap servers
- Cloud-based enterprise productivity suites (Workspace/Email)
Attack Chain
UNC6508 gained initial access by exploiting vulnerable legacy versions of externally facing REDCap servers. They deployed a web shell (help.php) and the custom INFINITERED malware, which intercepted REDCap software upgrades to maintain persistence and harvested user credentials. Using these stolen credentials, the attackers pivoted to domain administrator accounts. Finally, they created a malicious email content compliance rule named 'Patroit' to silently BCC-forward sensitive emails matching specific intelligence keywords to a threat actor-controlled Gmail account.
Detection Availability
- YARA Rules: Yes
- Sigma Rules: No
- Snort/Suricata Rules: No
- KQL Queries: No
- Splunk SPL Queries: No
- EQL Queries: No
- Other Detection Logic: No
- Platforms: YARA
The article provides a YARA rule (G_Backdoor_INFINITERED_1) to detect the INFINITERED backdoor in REDCap environments.
Detection Engineering Assessment
- EDR Visibility: Medium. EDR can detect web shell activity (e.g., PHP spawning shells) and file modifications, but INFINITERED operates heavily within the PHP application layer and the database, which may evade standard endpoint monitoring without application-specific logs.
- Network Visibility: Medium. Network monitoring could catch the C2 traffic if HTTP cookies are inspected for the REDCAP-TOKEN anomaly, but the traffic is likely encrypted (HTTPS), so the inspection has to happen where TLS is terminated (reverse proxy, WAF, or the web server's own logs).
- Detection Difficulty: Hard. The malware trojanizes legitimate application files, intercepts upgrades to persist, and uses a legitimate administrative feature (content compliance rules) for exfiltration, blending in with normal administrative and application behavior.
Required Log Sources
- Web Server Access Logs
- Application Logs (REDCap)
- Email Gateway/Workspace Admin Audit Logs
- Database Query Logs
Hunting Hypotheses
| Hypothesis | Telemetry | ATT&CK Stage | FP Risk |
|---|---|---|---|
| Look for unexpected modifications to REDCap upgrade system files or custom hooks configuration files, which may indicate INFINITERED upgrade interception. | File Integrity Monitoring (FIM) or EDR file modification events on web server directories. | Persistence | Low |
| Search for HTTP requests containing the REDCAP-TOKEN cookie parameter, especially those with unusually long or encrypted payloads, indicating potential INFINITERED C2 communication. | Web server access logs or WAF logs. | Command and Control | Low |
| Monitor administrative audit logs for the creation or modification of email content compliance rules, particularly those forwarding to external webmail addresses (e.g., Gmail). | Workspace/Email Admin Audit Logs. | Exfiltration | Medium |
| Check the REDCap sessions database table for session IDs beginning with the prefix xc32038474a, which indicates harvested credentials stored by INFINITERED. | Database query logs or direct database inspection. | Credential Access | Low |
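The two REDCap-side hunts in the table above (the REDCAP-TOKEN cookie in web server logs and the xc32038474a session-ID prefix in the sessions table) as runnable detection logic. This is an added example, not code from the GTIG report or from REDCap; it runs over constructed sample data. Two assumptions are made and marked in the code: that the web server logs the request Cookie header as an extra quoted field (stock "combined" Apache logs do not, so enable `%{Cookie}i` or use WAF logs), and that the sessions table is `redcap_sessions` with `session_id`, `session_data`, `session_expiration` columns, which you should check against your REDCap version.

```python
"""
Hunt for two INFINITERED artefacts on a REDCap host: the REDCAP-TOKEN C2 cookie
in web server logs and the xc32038474a prefix in the sessions table.
Added example with constructed sample data; assumptions are marked inline.
"""
import re
import sqlite3

# Assumption: the web server writes the request's Cookie header as a final
# quoted field after the User-Agent (Apache: LogFormat "... \"%{Cookie}i\"").
LOG_RE = re.compile(
    r'^(?P<ip>\S+) \S+ \S+ \[(?P<ts>[^\]]+)\] "(?P<req>[^"]*)" (?P<status>\d{3}) '
    r'\S+ "(?P<ref>[^"]*)" "(?P<ua>[^"]*)" "(?P<cookie>[^"]*)"$'
)
TOKEN_RE = re.compile(r'(?:^|;\s*)REDCAP-TOKEN=(?P<val>[^;]*)')
SESSION_PREFIX = "xc32038474a"  # prefix reported for INFINITERED credential rows

# Constructed sample log lines (RFC 5737 test addresses), not real telemetry.
SAMPLE_LOG = [
    '203.0.113.10 - - [12/Mar/2025:10:14:22 +0000] "GET /redcap/index.php HTTP/1.1" '
    '200 5120 "-" "Mozilla/5.0" "PHPSESSID=3f9c0a1e7b2d"',
    '198.51.100.7 - - [12/Mar/2025:10:15:01 +0000] "POST /redcap/index.php HTTP/1.1" '
    '200 88 "-" "Mozilla/5.0" "PHPSESSID=3f9c0a1e7b2d; REDCAP-TOKEN=' + "Qk" * 48 + '"',
    '203.0.113.10 - - [12/Mar/2025:10:16:40 +0000] "GET /redcap/help.php HTTP/1.1" '
    '404 210 "-" "curl/8.4" "-"',
]


def find_token_cookies(lines):
    """Return one hit per request that carries a REDCAP-TOKEN cookie.

    The report ties this cookie name to INFINITERED C2, so any occurrence is
    worth triage; the value length is kept because command payloads are encoded
    into the cookie and tend to be far longer than a normal session cookie.
    """
    hits = []
    for line in lines:
        m = LOG_RE.match(line)
        if not m:
            continue  # tolerate lines in other formats instead of aborting the hunt
        t = TOKEN_RE.search(m["cookie"])
        if t:
            hits.append({"ip": m["ip"], "ts": m["ts"], "request": m["req"],
                         "token_len": len(t["val"])})
    return hits


def build_sample_sessions_db():
    """Constructed in-memory stand-in for REDCap's sessions table.

    Assumption: the real table is redcap_sessions with columns session_id,
    session_data and session_expiration; verify against your schema version.
    """
    conn = sqlite3.connect(":memory:")
    conn.execute("CREATE TABLE redcap_sessions (session_id TEXT PRIMARY KEY, "
                 "session_data TEXT, session_expiration TEXT)")
    conn.executemany("INSERT INTO redcap_sessions VALUES (?, ?, ?)", [
        ("9c1b2e7d4f0a3b5c", 'redcap_user|s:5:"alice";', "2025-03-12 11:00:00"),
        (SESSION_PREFIX + "7e1f0c9b2a", "U2FsdGVkX1/opaque-blob", "2099-01-01 00:00:00"),
        ("xc3203847a9d8e", 'redcap_user|s:3:"bob";', "2025-03-12 11:05:00"),  # near-miss prefix
    ])
    conn.commit()
    return conn


def find_hidden_credential_rows(conn):
    """Rows whose session_id starts with the INFINITERED storage prefix."""
    cur = conn.execute(
        "SELECT session_id, session_expiration FROM redcap_sessions "
        "WHERE session_id LIKE ?",
        (SESSION_PREFIX + "%",),
    )
    return [{"session_id": sid, "expires": exp} for sid, exp in cur.fetchall()]


if __name__ == "__main__":
    for h in find_token_cookies(SAMPLE_LOG):
        print(f"[C2?]    {h['ts']} {h['ip']} {h['request']} token_len={h['token_len']}")
    for r in find_hidden_credential_rows(build_sample_sessions_db()):
        print(f"[creds?] session_id={r['session_id']} expires={r['expires']}")
```

Against a live instance, point `find_hidden_credential_rows` at a MySQL connection with the same query; the `LIKE 'xc32038474a%'` predicate is the whole check, and the near-miss row in the sample shows it does not match on partial prefixes.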
Control Gaps
- Lack of File Integrity Monitoring on web application directories
- Insufficient monitoring of email compliance rule changes
- Absence of Device Bound Session Credentials (DBSC)
Key Behavioral Indicators
- Creation of email compliance rules with typos (e.g., 'Patroit')
- Web server processes executing shell commands (shell_exec)
- Presence of GUID b49e334d-9c01-463e-9bc5-00a6920fb66e in PHP files
False Positive Assessment
- Low
Recommendations
Immediate Mitigation
- Verify against your organization's incident response runbook and team escalation paths before acting.
- Scan REDCap servers for the presence of INFINITERED using the provided YARA rule and IOCs.
- Review Workspace and email admin audit logs for unauthorized content compliance rules, especially those forwarding to external addresses.
- Fully update REDCap installations to the latest software version and ensure older, legacy versions are completely removed to prevent downgrade attacks.
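The audit-log review step above (and the matching hunting hypothesis in the table) as a small triage script. This is an added example, not the report's or Google's code. The event shape is constructed and simplified; the real Workspace Admin audit export records Gmail setting changes under different field names, so the assumption is that you normalise those records into the dicts shown here first. Organisation domains, the webmail list and the event names are all assumptions to adapt to your tenant.

```python
"""
Triage Workspace admin audit events for content compliance rules that BCC or
forward mail outside the organisation. Added example on constructed events;
field names and domain lists are assumptions marked inline.
"""

ORG_DOMAINS = {"example.org", "research.example.org"}   # assumption: your tenant's domains
WEBMAIL_DOMAINS = {"gmail.com", "googlemail.com", "outlook.com", "hotmail.com",
                   "yahoo.com", "proton.me", "protonmail.com"}
# Constructed event names; map your export's real names onto these.
RULE_EVENTS = {"CREATE_CONTENT_COMPLIANCE_RULE", "MODIFY_CONTENT_COMPLIANCE_RULE"}

# Constructed sample events, not real audit data. The attacker mailbox is a
# placeholder; match the report's real IOC address from your own IOC list.
SAMPLE_EVENTS = [
    {"time": "2025-03-10T08:02:11Z", "actor": "dlp-admin@example.org",
     "event": "CREATE_CONTENT_COMPLIANCE_RULE", "rule_name": "PHI outbound block",
     "keywords": ["SSN", "MRN"], "action": "reject", "bcc": []},
    {"time": "2025-03-11T23:41:05Z", "actor": "it-admin@example.org",
     "event": "CREATE_CONTENT_COMPLIANCE_RULE", "rule_name": "Patroit",
     "keywords": ["chikungunya", "military strategy"], "action": "modify",
     "bcc": ["exfil-mailbox@gmail.com"]},
    {"time": "2025-03-12T09:10:00Z", "actor": "it-admin@example.org",
     "event": "MODIFY_CONTENT_COMPLIANCE_RULE", "rule_name": "Grants office copy",
     "keywords": ["grant"], "action": "modify", "bcc": ["archive@research.example.org"]},
    {"time": "2025-03-12T09:12:30Z", "actor": "it-admin@example.org",
     "event": "MODIFY_CONTENT_COMPLIANCE_RULE", "rule_name": "Partner CC",
     "keywords": ["contract"], "action": "modify", "bcc": ["legal@partner.example.com"]},
    {"time": "2025-03-12T09:13:00Z", "actor": "it-admin@example.org",
     "event": "CHANGE_PASSWORD", "rule_name": None},
]


def domain_of(addr):
    """Lower-cased domain part of an address, or '' if it has none."""
    return addr.rsplit("@", 1)[1].strip().lower() if "@" in addr else ""


def classify_recipient(addr, org_domains):
    d = domain_of(addr)
    if not d:
        return "invalid"
    if d in org_domains or any(d.endswith("." + o) for o in org_domains):
        return "internal"
    if d in WEBMAIL_DOMAINS:
        return "external-webmail"   # the pattern reported for the 'Patroit' rule
    return "external"


def review_rules(events, org_domains=ORG_DOMAINS):
    """One finding per rule create/modify event, ranked by where the copies go.

    Every rule change is recorded (they are rare and high-impact); external
    webmail recipients are ranked highest, other external recipients medium.
    """
    findings = []
    for ev in events:
        if ev.get("event") not in RULE_EVENTS:
            continue
        classes = {a: classify_recipient(a, org_domains) for a in ev.get("bcc", [])}
        if "external-webmail" in classes.values():
            sev = "high"
        elif any(c in ("external", "invalid") for c in classes.values()):
            sev = "medium"
        else:
            sev = "info"
        findings.append({"time": ev["time"], "actor": ev["actor"], "rule": ev["rule_name"],
                         "event": ev["event"], "severity": sev, "recipients": classes,
                         "keywords": ev.get("keywords", [])})
    return findings


if __name__ == "__main__":
    for f in review_rules(SAMPLE_EVENTS):
        print(f"{f['severity']:6} {f['time']} {f['actor']} {f['event']} "
              f"rule={f['rule']!r} bcc={f['recipients']} keywords={f['keywords']}")
```

The keyword list is carried into each finding deliberately: a rule that both BCCs an external mailbox and matches subject-matter terms (rather than DLP patterns such as identifiers) is the combination the report describes, and it is what an analyst should see first.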
Infrastructure Hardening
- Enforce phishing-resistant 2-Step Verification (2SV) for all enterprise administrator accounts.
- Consider enforcing Device Bound Session Credentials (DBSC) together with Context-Aware Access (CAA) for highly sensitive accounts, so that a stolen session cookie cannot be replayed from another device.
- Implement File Integrity Monitoring (FIM) on critical web application directories to detect unauthorized code injection.
User Protection
- Consider enrolling highly sensitive accounts in advanced protection programs for additional safeguards against malware and phishing.
- Use enterprise password leak detection tools to alert when potentially compromised passwords are used.
Security Awareness
- Educate administrators on the risks of credential reuse across different security domains.
- Train security teams to monitor for abuse of legitimate administrative features, such as email compliance and forwarding rules.
MITRE ATT&CK Mapping
- T1190 - Exploit Public-Facing Application
- T1505.003 - Server Software Component: Web Shell
- T1554 - Compromise Host Software Binary
- T1027 - Obfuscated Files or Information
- T1090.003 - Proxy: Multi-hop Proxy
- T1562.001 - Impair Defenses: Disable or Modify Tools
- T1562.010 - Impair Defenses: Downgrade Attack
- T1555 - Credentials from Password Stores
- T1056.003 - Input Capture: Web Portal Capture
- T1114.003 - Email Collection: Email Forwarding Rule
- T1213 - Data from Information Repositories
- T1071.001 - Application Layer Protocol: Web Protocols
- T1567 - Exfiltration Over Web Service
Additional IOCs
- File hashes: see the SHA-256 list at the top of the page.
- b49e334d-9c01-463e-9bc5-00a6920fb66e - INFINITERED current software version GUID delimiter used during upgrade interception.
- xc32038474a - Prefix used by INFINITERED to hide encrypted credentials inside the REDCap sessions database table.
- REDCAP-TOKEN - HTTP cookie parameter used by the INFINITERED backdoor to receive C2 commands.
- Patroit - Name of the malicious content compliance rule created by the threat actor for email exfiltration.